SAP Cyber Threat Intelligence report – February 2019

The SAP threat landscape is always expanding thus putting organizations of all sizes and industries at risk of cyber attacks. The idea behind the monthly SAP Cyber Threat Intelligence report is to provide an insight into the latest security vulnerabilities and threats.

Key takeaways

The set for February 2019 consists of 16 security notes.

Two of the released SAP Security Notes were assessed at Hot News.

The most severe security issue was assessed at 9.8 of 10 by CVSS base score.

This month, Cross-Site Scripting, Missing Authorization Check, and Information Disclosure are the most common vulnerability types.

SAP NetWeaver ABAP platform has most of all vulnerabilities fixed this month.

SAP Security Notes – February 2019

SAP has released the monthly patch update for February 2019. This set closes 16 SAP Security Notes. Three patches are updates to previously released Security Notes.

Two of the released SAP Security Notes are Hot News with the highest CVSS base score of 9.8 and 9.4.

Below is a chart that illustrates the SAP security notes distribution by priority.

This time, Cross-Site Scripting, Missing Authorization Check, and Information Disclosure have become the largest groups in terms of the number of vulnerabilities.

SAP Security Notes Distribution by Vulnerability Type – February 2019

Most of the vulnerabilities belong to the SAP NetWeaver ABAP platform, as a pie chart shows below.

Affected Platforms – February 2019

SAP users are recommended to implement security patches as they are released as it helps protect the SAP landscape.

Critical issues closed by SAP Security Notes in February 2019

The following SAP Security Notes can fix the most severe vulnerabilities of this update:

2742027 SAP HANA Extended Application Services have a Missing authentication check vulnerability (CVSS Base Score: 9.4; CVE-2019-0261). An attacker can use the vulnerability for accessing a service without any authorization procedures and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks.

2729710 SLD Registration of ABAP Platform has an XML External Entity (XXE) vulnerability (CVSS Base Score: 8.7; CVE-2019-0265) An attacker can use an XML External Entity vulnerability to get unauthorized access to OS filesystem. The attacker can send specially crafted unauthorized XML requests, which will be processed by the XML parser.

2724014 SAP Disclosure Management has a Missing Authorization check vulnerability (CVSS Base Score: 8.3; CVE-2019-0258). An attacker can use the vulnerability to access a service without any authorization procedures and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks.